Filebeat

Receiving CEF-format logs using the Filebeat CEF module and sending them to Logstash.

While viewing the parsed results, I could see that there was an error tag.

"error": {
  "message": [
    "malformed value for filePath at pos 168",
    "malformed value for attachment at pos 526",
    "malformed value for Incident_SnapshotURL at pos 807"
  ]
}

All other fields were parsed normally. What filePath, attachment, and Incident_SnapshotURL, the fields where the errors occurred, have in common is that they contain "(" and ")", so I judge that to be the cause of the error.

The original message is:
CEF:0|Symantec|DLP|15.5||주요키워드 탐지||Severity=4:정보 action=없음 Match_Count=4 Incident_ID=2726415 status=??? 신규 ??? appname=XXX.exe filePath=C:\\Users\\005034\\Desktop\\XX\\XXXXXX(1008)\\QAXX(1014)\\2020_10월 fname=2020년 10월_XX_XX XX_XX(XXXX)_ver2.xlsx msg=해당 없음 proto=XXXX XX XX XX XXX shost=X2X19X50X0-01 suser=해당 없음 suid=해당 없음 duser=해당 없음 dhost=해당 없음 attachment=C:\\Users\\005034\\Desktop\\XX\\XXXXXX(1008)\\QAXX(1014)\\2020_10월 _XX_XX XX_XX(XXXX)_ver2.xlsx Scan_Date=해당 없음 Incident_SnapshotURL=https://XXXX/ProtectManager/XXXXXXXXXXXX.do?value(variable_1)=incident.id&value(operator_1)=incident.id_in&value(operand_1)=2726415 Rules_Names=XXXXX DataOwner_Name=해당 없음 DataOwner_Email=해당 없음 Quaramtine_Parent_Path=해당 없음\u0000

Can't the Filebeat CEF module parse "(" and ")"?
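For comparison, here is a small stand-alone CEF parser written for this thread (it is not Filebeat's or Elastic's code and says nothing about why their module reports the error). It follows the CEF format as published: the only delimiters are unescaped "|" in the header, and in the extension the "=" after a key plus the whitespace before the next "key=" token, so parentheses in a value need no special handling. The sample message is constructed by abridging the anonymised message from the post, including the trailing NUL byte.

```python
import re
from typing import Dict, List, Tuple
# Extension keys: letters, digits, '_' or '.', directly followed by '=' and preceded by the start of the
# extension or whitespace. '(' and ')' are not key characters, so "value(operator_1)=" inside a URL is no key.
_KEY_RE = re.compile(r"(?:^|(?<=\s))([A-Za-z0-9_.]+)=")
HEADER_NAMES = ["version", "device_vendor", "device_product", "device_version", "signature_id", "name", "severity"]

def unescape_value(value: str) -> str:
    """Undo CEF extension escaping: backslash-backslash, backslash-equals, backslash-n, backslash-r."""
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)

def split_header(line: str) -> Tuple[List[str], str]:
    """Return the 7 pipe-delimited header fields (honouring backslash-pipe escapes) and the extension text."""
    fields, cur, i = [], [], 0
    while i < len(line) and len(fields) < 7:
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):      # escaped character: keep it literally
            cur.append(line[i + 1]); i += 2; continue
        if ch == "|":
            fields.append("".join(cur)); cur = []
        else:
            cur.append(ch)
        i += 1
    if len(fields) < 7:
        raise ValueError("not a CEF message: fewer than 7 header fields")
    return fields, line[i:]

def parse_extension(ext: str) -> Dict[str, str]:
    """Split 'key=value key=value ...'; a value runs from its '=' to the whitespace before the next key."""
    ext = ext.rstrip("\x00\r\n")                  # the posted message ends in a NUL byte (\u0000)
    keys = list(_KEY_RE.finditer(ext))
    out: Dict[str, str] = {}
    for n, m in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(ext)
        out[m.group(1)] = unescape_value(ext[m.end():end].rstrip())
    return out

def parse_cef(line: str) -> Dict[str, object]:
    header, ext = split_header(line)
    event: Dict[str, object] = dict(zip(HEADER_NAMES, header))
    event["version"] = header[0][4:] if header[0].startswith("CEF:") else header[0]
    event["extensions"] = parse_extension(ext)
    return event

# Constructed sample, abridged from the anonymised message in the post above.
SAMPLE = (
    r"CEF:0|Symantec|DLP|15.5||주요키워드 탐지||Severity=4:정보 action=없음 Match_Count=4 Incident_ID=2726415 appname=XXX.exe "
    r"filePath=C:\\Users\\005034\\Desktop\\XX\\XXXXXX(1008)\\QAXX(1014)\\2020_10월 fname=2020년 10월_XX_XX XX_XX(XXXX)_ver2.xlsx msg=해당 없음 proto=XXXX XX XX XX XXX "
    r"Incident_SnapshotURL=https://XXXX/ProtectManager/XXXXXXXXXXXX.do?value(variable_1)=incident.id&value(operator_1)=incident.id_in&value(operand_1)=2726415 Rules_Names=XXXXX" + "\x00"
)
```

Running parse_cef(SAMPLE) returns filePath with single backslashes and the full Incident_SnapshotURL, parentheses included.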

I looked into the issue and it seems to be a valid concern. Would you mind opening an issue for Beats and reporting this problem?
